Monthly Archives: July 2009

In an environment where every computer you have is a PC and every computer is attached to your domain, password expiration is handled for you. If a user's password is about to expire, they are notified every time they log on and are forced to change it after it has expired.

Today, a network full of PCs isn't always feasible and, in some cases, adding the machine to the domain isn't acceptable. I have worked in environments where every user had a laptop which could not be added to the domain. I have also worked in an environment where there were just as many Macs as PCs. I had to answer a question that I feel many admins will have to face in the next few years:

How do you manage password expiration for users that cannot be added to the domain?

There are a few restrictions that I placed on myself for this:

1) The solution should have a minimal impact on security.

2) The solution should preserve the use of SSL IMAP and SSL SMTP for the users that require it.

3) The solution should require minimal maintenance.

4) The solution should be automated.

My answer to this was an automated password expiration email reminder and enabling password changing through OWA.

Scouring the web, I found a few pay-for solutions, but I truly felt this should be a feature included within Windows.

EMAIL_SERVER sets the SMTP server that the email should be sent through
EMAIL_FROM sets the from address
OWA_STRING sets the OWA address
FIRST_REMINDER_DAY sets the first day that the reminder should go out
START_REMINDER_DAYS sets the first day from which the user receives continuous daily reminders until the password has expired
In this case, the user would receive a reminder 10 days before the password expired and then on the 7th, 6th, 5th… until the password did expire.
LOG_PATH sets where the logs will be stored
APPEND_DATE allows you to append the run date to the end of the log file name so that you can keep an archive
DEBUG_MODE sends all of the emails to DEBUG_EMAIL if it is not set to 0
DEBUG_EMAIL is where you would receive the password expiration emails if DEBUG_MODE is set

Set this VBScript to run as a scheduled task under a domain admin account every day, and your users will now get password expiration emails.
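The reminder schedule those settings describe, worked through as an added Python example (this is not the original VBScript): it converts an AD pwdLastSet value to a date, decides which users are due a reminder today given FIRST_REMINDER_DAY and START_REMINDER_DAYS, and routes everything to DEBUG_EMAIL when DEBUG_MODE is set. The maximum password age, the sample users and the addresses are assumptions; a real run would read pwdLastSet and maxPwdAge from the directory and send through EMAIL_SERVER.

```python
from datetime import datetime, timedelta, timezone
# Settings mirroring the variables described above; all values are assumptions.
FIRST_REMINDER_DAY = 10     # one-off reminder this many days before expiry
START_REMINDER_DAYS = 7     # daily reminders from this many days out until expiry
DEBUG_MODE = 1              # non-zero: route every reminder to DEBUG_EMAIL
DEBUG_EMAIL = "helpdesk@example.com"
MAX_PWD_AGE = timedelta(days=90)   # domain maxPwdAge (assumed; normally read from AD)

# AD stores pwdLastSet as a FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def days_until_expiry(pwd_last_set, now):
    expires = filetime_to_datetime(pwd_last_set) + MAX_PWD_AGE
    return (expires - now).days          # negative once the password has expired

def reminder_due(days_left):
    # One reminder on FIRST_REMINDER_DAY, then daily from START_REMINDER_DAYS
    # down to day 0 (the day it expires); nothing once it has expired.
    return days_left == FIRST_REMINDER_DAY or 0 <= days_left <= START_REMINDER_DAYS

def recipient(user_mail):
    return DEBUG_EMAIL if DEBUG_MODE else user_mail

def build_reminders(users, now):
    # Returns (recipient, subject) for every user whose reminder is due today.
    # Sending through EMAIL_SERVER and logging to LOG_PATH are left out here.
    due = []
    for u in users:
        if u["pwdLastSet"] == 0 or u["never_expires"]:
            continue   # must-change-at-next-logon or exempt accounts get nothing
        left = days_until_expiry(u["pwdLastSet"], now)
        if reminder_due(left):
            due.append((recipient(u["mail"]), f"{u['name']}: password expires in {left} day(s)"))
    return due

# Constructed sample run: "today" and six users with different password ages.
NOW = datetime(2009, 7, 15, 9, 0, tzinfo=timezone.utc)
def _user(name, days_ago, never_expires=False):
    ft = 0 if days_ago is None else datetime_to_filetime(NOW - timedelta(days=days_ago))
    return {"name": name, "mail": f"{name}@example.com", "pwdLastSet": ft, "never_expires": never_expires}

SAMPLE_USERS = [_user("alice", 80), _user("bob", 82), _user("carol", 85),
                _user("dave", 100), _user("eve", None), _user("svc_backup", 30, True)]
```

Calling build_reminders(SAMPLE_USERS, NOW) yields reminders for alice (10 days left, the first reminder) and carol (5 days left, inside the daily window) only; bob at 8 days, the expired dave, the must-change eve and the exempt service account get nothing.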

Privilege escalation is usually a topic when discussing UNIX-based systems. Because the default in Windows is to run as a full administrator, escalating your privileges seems fairly pointless. Most exploits on Windows systems occur against service accounts, which generally have full control of the system; most services on UNIX-based systems, on the other hand, run under dedicated accounts with limited rights.

So the questions are:

1) What are the benefits of escalating your privileges in windows?

2) How do you escalate your privileges?

What are the benefits of escalating your privileges?

When you are already running as a full administrator on your system, where can you go from there? Isn't Administrator the top of the rights totem pole?

While the Administrator account has the highest user privileges on a system, there is one account with slightly higher privileges: the Windows SYSTEM account. When running as the SYSTEM account you are essentially running as the operating system itself.

How do you escalate your privileges?

The process is quite simple, actually: you need to get the SYSTEM account to run a program that you can interact with. This is where the "at" command comes into play. The "at" command schedules a task at a specific time; unlike the "schtasks" command, which runs a job under the account that scheduled it, the "at" command runs it as SYSTEM.

Open a command prompt and type:

at 13:01 /interactive cmd

This schedules a task to open a command prompt window at 1:01 pm and sets it to run in interactive mode. You will notice that a standard command prompt has the title "C:\WINDOWS\system32\cmd.exe", whereas the new command prompt window will have the title "C:\WINDOWS\System32\svchost.exe".

When you open Task Manager you will notice that the "cmd.exe" process is running under the "SYSTEM" account.

From here you can end your explorer.exe process and launch explorer from the escalated command prompt. This runs Explorer as SYSTEM; you can confirm this in Task Manager or, if you have a theme that shows your username in the Start menu, you will notice that it says "SYSTEM" in place of your username.